
Deploy NetScaler Cloud Controller using NetScaler Operator

Introduction

NetScaler Cloud Controller creates and maintains route entries for pod networks in the appropriate Azure route table.

Note:

NetScaler Cloud Controller only creates Azure routes between NetScaler and the Azure Red Hat OpenShift (ARO) cluster that resides in the same resource group.

This section provides information about deploying, configuring, and managing NetScaler Cloud Controller within Azure and ARO environments.

Prerequisites

  1. An active Azure subscription.

    Note down the subscription ID.

  2. An Azure account with sufficient permissions to create and manage resources. You must have access to create resources within the resource group and manage service principals.

  3. Note down the TENANT_ID, CLIENT_ID, and CLIENT_SECRET for your Azure account.

  4. A running ARO cluster in Azure (version 4.11 or later).

  5. The ARO cluster and the subnet to which the route needs to be established must be in the same VNet.

    Note down the following details: the resource group name, the VNet name, the subnet name, and the Azure location where the ARO cluster and NetScaler are located.

  6. Create a secret, using the following command, in the namespace where you want to deploy NetScaler Cloud Controller.

    oc create secret generic azsecret --from-literal=clientid="<CLIENT_ID>" --from-literal=clientsecret="<CLIENT_SECRET>" -n <namespace>
    
  7. Create a service principal and assign a custom role to the service principal. For information, see Create service principal and assign a role.

  8. Deploy NetScaler Operator. For information on how to deploy NetScaler Operator, see Deploy NetScaler Operator.

Create a service principal and assign a role

Create a service principal and assign a role to it to set up the authentication details that NetScaler Cloud Controller uses to manage Azure resources. There are two scenarios to consider when creating the service principal and assigning the role, described in the following cases.

Case I: The subnet on which the routes are to be created is not part of the ARO cluster

Follow the steps to create a service principal with the desired roles or add the roles to an existing service principal.

Note:

If a service principal exists, skip to step 9 to assign a role to the service principal.

  1. Log in to Microsoft Azure Portal.

  2. Go to the App registrations service.

  3. Click New Registration.

  4. Enter the details such as name and supported account types.

  5. Click Register to create your service principal.

    Note down the clientID from your service principal details.

  6. Click Certificates & secrets in the left pane and click New client secret.

  7. Enter a description and choose an expiry.

  8. Note down the secret value. This value is clientSecret.

  9. Go to Resource Group → <Your Resource Group> → Access Control (IAM).

    Select the resource group where the ARO cluster and the VNet exist.

  10. Click Add and select Add custom role.

  11. Copy the following into a JSON file named custom_role.json.

    {
      "properties": {
        "roleName": "NetScaler Cloud Controller Role",
        "description": "Allows managing cloud controller role",
        "assignableScopes": [
          "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Network/routeTables/routes/write",
              "Microsoft.Network/routeTables/routes/read",
              "Microsoft.Network/routeTables/routes/delete",
              "Microsoft.Network/routeTables/delete",
              "Microsoft.Network/routeTables/write",
              "Microsoft.Network/routeTables/read",
              "Microsoft.Network/virtualNetworks/subnets/read",
              "Microsoft.Network/virtualNetworks/subnets/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

  12. Modify the custom_role.json file as per your desired settings.

    You must replace <SUBSCRIPTION_ID> and <RESOURCE_GROUP_NAME> in the JSON file with your subscription ID and resource group name.

  13. Select Start from JSON in Baseline Permissions and upload the modified custom_role.json file.

  14. Click Review + Create.

  15. Go to Add role assignment.

  16. Search for the custom role created in step 14.

  17. Select the role and click Next.

  18. Under Members, select the service principal created in step 5.

  19. Click Review + Assign.

Case II: The subnet on which the routes are to be created is part of the ARO cluster

In this case, you must have access to the service principal created during the OpenShift installation. The service principal created automatically during the ARO installation has an aro-app- prefix.

  1. Go to Resource Group → <Your Resource Group> → Access Control (IAM), where <Your Resource Group> is the resource group in which the ARO cluster and the VNet exist.

  2. Click Add and select Add custom role.

  3. Copy the following into a JSON file named custom_role.json.

    {
      "properties": {
        "roleName": "NetScaler Cloud Controller Role",
        "description": "Allows managing cloud controller role",
        "assignableScopes": [
          "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP_NAME>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.Network/routeTables/routes/write",
              "Microsoft.Network/routeTables/routes/read",
              "Microsoft.Network/routeTables/routes/delete",
              "Microsoft.Network/routeTables/delete",
              "Microsoft.Network/routeTables/write",
              "Microsoft.Network/routeTables/read",
              "Microsoft.Network/virtualNetworks/subnets/read",
              "Microsoft.Network/virtualNetworks/subnets/write"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

  4. Modify the custom_role.json file as per your desired settings.

    You must replace <SUBSCRIPTION_ID> and <RESOURCE_GROUP_NAME> in the JSON file with your subscription ID and resource group name.

  5. Select Start from JSON in Baseline Permissions and upload the modified custom_role.json file.

  6. Click Review + Create.

  7. Click Add role assignment.

  8. Search for the custom role created in step 4. Select the role and click Next.

  9. In the Members section, select the service principal that is managing the OpenShift cluster.

  10. Click Review + Assign.
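
Both cases above upload the same custom_role.json, and the only edits it needs are the two placeholders. The following script is an added example, not part of the NetScaler documentation or of the controller's code: it checks a filled-in custom_role.json before it is uploaded, confirming that every placeholder has been replaced, that the assignable scope stays inside a single resource group, and that the action set is neither wider (wildcards, extra actions) nor narrower than the sample above. The subscription ID and resource group name in the sample inputs are constructed.

```python
"""Least-privilege check for the NetScaler Cloud Controller custom role.

Added example, not part of the NetScaler documentation. It reads the
custom_role.json from this page (with placeholders filled in) and reports
anything that widens or breaks the role relative to the documented sample.
"""
import json
import re

# The exact action set granted by the page's custom_role.json.
DOCUMENTED_ACTIONS = frozenset({
    "Microsoft.Network/routeTables/routes/write",
    "Microsoft.Network/routeTables/routes/read",
    "Microsoft.Network/routeTables/routes/delete",
    "Microsoft.Network/routeTables/delete",
    "Microsoft.Network/routeTables/write",
    "Microsoft.Network/routeTables/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/write",
})

# A scope confined to one resource group: /subscriptions/<GUID>/resourceGroups/<name>
RG_SCOPE = re.compile(
    r"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[A-Za-z0-9_.()-]+$"
)
# Placeholders the page uses, e.g. <SUBSCRIPTION_ID>, <RESOURCE_GROUP_NAME>
PLACEHOLDER = re.compile(r"<[A-Z_]+>")


def check_custom_role(role_json: str) -> list[str]:
    """Return findings; an empty list means the role matches the documented sample."""
    m = PLACEHOLDER.search(role_json)
    if m:
        # Nothing else is meaningful until the placeholders are filled in.
        return [f"placeholder {m.group(0)} not replaced"]

    findings = []
    props = json.loads(role_json)["properties"]

    scopes = props.get("assignableScopes", [])
    if not scopes:
        findings.append("assignableScopes is empty")
    for scope in scopes:
        if not RG_SCOPE.match(scope):
            findings.append(f"scope wider than a single resource group: {scope}")

    for perm in props.get("permissions", []):
        actions = set(perm.get("actions", []))
        wild = sorted(a for a in actions if "*" in a)
        if wild:
            findings.append(f"wildcard actions: {', '.join(wild)}")
        extra = sorted(actions - DOCUMENTED_ACTIONS - set(wild))
        if extra:
            findings.append(f"actions beyond the documented set: {', '.join(extra)}")
        missing = sorted(DOCUMENTED_ACTIONS - actions)
        if missing:
            findings.append(f"documented actions missing: {', '.join(missing)}")
        if perm.get("dataActions"):
            findings.append("dataActions should be empty for this role")
    return findings


# Constructed sample: the page's role with made-up subscription ID and resource group.
GOOD_ROLE = json.dumps({
    "properties": {
        "roleName": "NetScaler Cloud Controller Role",
        "description": "Allows managing cloud controller role",
        "assignableScopes": [
            "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/aro-rg"
        ],
        "permissions": [{
            "actions": sorted(DOCUMENTED_ACTIONS),
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    }
})

# Constructed sample of a role that drifted: subscription-wide scope and a wildcard.
WIDE_ROLE = json.dumps({
    "properties": {
        "roleName": "NetScaler Cloud Controller Role",
        "description": "too broad",
        "assignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"],
        "permissions": [{
            "actions": ["Microsoft.Network/*"],
            "notActions": [], "dataActions": [], "notDataActions": [],
        }],
    }
})

if __name__ == "__main__":
    for label, role in (("good", GOOD_ROLE), ("wide", WIDE_ROLE)):
        print(label, check_custom_role(role) or ["ok"])
```

Run it against the file you are about to upload (`check_custom_role(open("custom_role.json").read())`); an empty result means the role grants exactly what the page's sample grants, on exactly one resource group.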

Steps to deploy NetScaler Cloud Controller instance

  1. Log in to the 4.x OpenShift console.

  2. Navigate to Operators > Installed Operators and select NetScaler Operator.

  3. Go to NetScaler Operator, click the NetScaler Cloud Controller tab, and then click Create NetScaler Cloud Controller.

    The YAML for the NetScaler Cloud Controller CRD is displayed. Optionally, you can select the Form view button and update the parameters in a form.

  4. Edit the YAML to add the values obtained in the Prerequisites section.

    Refer to the following table for the descriptions of the fields in the displayed YAML.

    | Parameter | Mandatory/Optional | Default value | Description |
    |---|---|---|---|
    | name | Mandatory | netscalercloudcontroller-sample | Name of the NetScaler Cloud Controller instance. |
    | acceptLicense | Mandatory | no | Set this value to Yes to accept the NetScaler Cloud Controller EULA. |
    | affinity | Optional | N/A | Affinity labels for pod assignment. |
    | nodeSelector | Optional | N/A | The node label key:value pair to be used for the nodeSelector option in the NetScaler Cloud Controller deployment. |
    | podAnnotations | Optional | N/A | Map of annotations to add to the pods. |
    | tolerations | Optional | N/A | The tolerations for the NetScaler Cloud Controller deployment. |

    The following parameters are nested under azure:

    | Parameter | Mandatory/Optional | Default value | Description |
    |---|---|---|---|
    | clientsecret | Mandatory | N/A | Name of the secret created in the Prerequisites section. |
    | image | Mandatory | quay.io/netscaler/netscaler-cloud-controller@<SHA value of latest release> | The NetScaler Cloud Controller image hosted on Quay.io. |
    | location | Mandatory | N/A | Azure location. |
    | pullPolicy | Optional | IfNotPresent | The NetScaler Cloud Controller image pull policy. |
    | resourcegroupname | Mandatory | N/A | Resource group name where the VNet exists. |
    | resources | Optional | N/A | CPU/memory resources for a NetScaler Cloud Controller container. |
    | subnetname | Mandatory | N/A | Azure VNet subnet name from which the route is to be established to the ARO cluster. This subnet must be in the same VNet as the ARO cluster. |
    | subscriptionid | Mandatory | N/A | Subscription ID for your Azure account. |
    | tenantid | Mandatory | N/A | Tenant ID of the Azure service principal. |
    | vnetname | Mandatory | N/A | Azure VNet name in which the required subnet and the OpenShift cluster exist. |

  5. After updating the values for the required parameters, click Create.

  6. Navigate to the Workloads > Pods section and verify whether the NetScaler Cloud Controller pod is up and running.

After the controller pod is up and running, the required route table with the subnet is created.

Notes:

  • The controller creates a route table and associates it with the given subnet if the route table does not exist. The format of the new table will be <SUBNET_NAME>_<LOCATION>_rt.
  • To avoid conflicts with routes created or updated by other automation processes or users, the routes managed by NetScaler Cloud Controller are named with the prefix NSCC_ followed by a hash value for tracking. Do not create routes with the same name prefix.
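
As an added example, not part of the NetScaler documentation or the operator's code, the following pre-flight check applies the parameter table above to a NetScaler Cloud Controller spec before Create is clicked, and derives the route table name described in the notes. It assumes the CR's YAML loads into a dictionary whose keys are the table's parameter names, with the azure parameters nested under an `azure` mapping; the GUIDs, names and image digest in the sample spec are constructed.

```python
"""Pre-flight check for a NetScaler Cloud Controller spec.

Added example, not part of the NetScaler documentation. Assumption: the CR's
YAML loads into a dict with the table's top-level keys and an `azure` mapping
holding the azure parameters.
"""
import re

MANDATORY_TOP = ("name", "acceptLicense")
MANDATORY_AZURE = ("clientsecret", "image", "location", "resourcegroupname",
                   "subnetname", "subscriptionid", "tenantid", "vnetname")
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
ROUTE_PREFIX = "NSCC_"  # prefix of routes the controller manages


def preflight(spec: dict) -> list[str]:
    """Return findings for the spec; an empty list means every documented requirement is met."""
    findings = []
    for key in MANDATORY_TOP:
        if not spec.get(key):
            findings.append(f"missing mandatory field: {key}")
    if str(spec.get("acceptLicense", "")).lower() != "yes":
        findings.append("acceptLicense must be set to yes")

    azure = spec.get("azure") or {}
    for key in MANDATORY_AZURE:
        if not azure.get(key):
            findings.append(f"missing mandatory field: azure.{key}")
    for key in ("subscriptionid", "tenantid"):
        if azure.get(key) and not GUID.match(str(azure[key])):
            findings.append(f"azure.{key} is not a GUID")
    # The table's default image is digest-pinned; a tag can move underneath you.
    image = str(azure.get("image", ""))
    if image and "@sha256:" not in image:
        findings.append("azure.image is not pinned by digest")
    return findings


def expected_route_table_name(spec: dict) -> str:
    """Route table the controller creates when none exists: <SUBNET_NAME>_<LOCATION>_rt."""
    azure = spec["azure"]
    return f"{azure['subnetname']}_{azure['location']}_rt"


def is_controller_route(route_name: str) -> bool:
    """True for routes the controller owns (NSCC_ followed by a tracking hash)."""
    return route_name.startswith(ROUTE_PREFIX)


# Constructed sample spec; GUIDs, names and the digest are made up.
SAMPLE_SPEC = {
    "name": "netscalercloudcontroller-sample",
    "acceptLicense": "yes",
    "azure": {
        "clientsecret": "azsecret",
        "image": "quay.io/netscaler/netscaler-cloud-controller@sha256:" + "0" * 64,
        "location": "eastus",
        "resourcegroupname": "aro-rg",
        "subnetname": "netscaler-subnet",
        "subscriptionid": "00000000-0000-0000-0000-000000000000",
        "tenantid": "11111111-1111-1111-1111-111111111111",
        "vnetname": "aro-vnet",
    },
}

if __name__ == "__main__":
    print(preflight(SAMPLE_SPEC) or ["ok"])
    print("route table:", expected_route_table_name(SAMPLE_SPEC))
```

Knowing the derived route table name up front lets you confirm, in the Azure portal, that the controller created or reused the right table, and the NSCC_ check lets you separate its routes from anything else in that table.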

The following roles are installed when NetScaler Cloud Controller is deployed. NetScaler Cloud Controller requires these roles to manage its CRD and get node-specific information.

| API Group | Resources | Verbs |
|---|---|---|
| rbac.authorization.k8s.io | clusterrolebindings | create, delete, get, list, patch, update, watch |
| rbac.authorization.k8s.io | clusterroles | create, delete, get, list, patch, update, watch |
| core | nodes | All |
| core | serviceaccounts | create, delete, get, list, patch, update, watch |
| apps | deployments | create, delete, get, list, patch, update, watch |
| core | pods | create, delete, get, list, patch, update, watch, serviceaccounts |